* Avoid empty webhook processor work via cached subscription lookup
WebhookProcessor ran for every event but most teams have no matching
webhook subscription, costing an empty processor job and a database query
per event.
Cache a team's enabled subscriptions ({ id, events }) in Redis, invalidated
by model lifecycle hooks, and add an optional BaseProcessor.shouldQueue hook
consulted by the global event queue so the webhook processor only enqueues a
job when a matching subscription exists.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
* feedback
---------
Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
* fix: Increase valid user-supplied URL length to 1024
* fix: Wrap URL length migration in a transaction
Wrap the multi-column changeColumn operations in a transaction so a
failure on any column rolls back the whole migration rather than leaving
the database partially migrated.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
* fix: Access request logic for collection managers
* test: Exercise collection-manager path in access request regression tests
Grant the non-workspace-admin manager a collection-level Admin membership
instead of a direct document-level membership, so authorization flows
through the collection-manager path being tested for #12567.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
* Add tagging of outgoing emails
* Detect SES configured via well-known service key
The isSES check only matched "amazonaws" in the host, so SES configured
through SMTP_SERVICE (e.g. "SES" or "SES-US-EAST-1") was not detected and
tagging headers were not applied.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
* perf: Lazy import mailparser, @fast-csv, and franc deps
Moves heavy dependencies off the startup path into the narrow async code
paths that actually use them, mirroring the mammoth lazy-import change:
- mailparser: only needed for Confluence Word imports (confluenceToHtml)
- @fast-csv/parse: only needed for CSV imports (csvToMarkdown)
- franc / iso-639-3: only needed by the DocumentUpdateText worker task
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
* perf: Lazy import jsdom dep
jsdom is one of the heaviest server dependencies but is only needed for
HTML export (ProsemirrorHelper.toHTML) and HTML import
(DocumentConverter.htmlToProsemirror). Move it to a lazy `await import`
inside those methods so its dependency tree stays off the startup path.
Both methods become async; all callers were already in async contexts.
The type-only usage in patchGlobalEnv is now an `import type`.
* fix: Run single process when only the worker service is enabled
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
* perf: Improve memory consumption through lazy service loading
---------
Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
The FileOperation import association was fetched for every non-public
document but only used when sourceMetadata is present. Move the lookup
inside that branch to eliminate an N+1 query for documents that are not
imports, benefiting every endpoint that presents documents.
Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
The attachment cleanup loop used findAllInBatches, which advances an
OFFSET each iteration. Because the callback deletes each batch, the
remaining rows shift backwards and the advancing offset skips over them,
leaving attachments that still reference the team. team.destroy() then
failed with attachments_teamId_fkey.
Page from offset 0 until no attachments remain, and remove the now
redundant per-user attachment delete so the loop is the single
authoritative cleanup.
Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
* fix: Allow service worker to load on custom domains
Add explicit worker-src 'self' so the service worker can register on
team custom domains. Without it, browsers fall back to script-src which
only lists env.URL and env.CDN_URL, blocking /static/sw.js on hosts
like docs.getoutline.com.
* fix: Switch worker-src approach to script-src 'self' for type safety
The @types/koa-helmet definitions don't include workerSrc. Add 'self'
to script-src instead — worker-src falls back to script-src per spec,
and 'self' matches the document origin on custom domains.
* fix: Properly add worker-src directive without script-src widening
Extract the CSP directives to a local variable so workerSrc can be
included despite koa-helmet's outdated type definitions missing it
(the underlying helmet supports it). Also drop @types/koa-helmet
since the package now ships its own (equivalent) types.
* fix: Normalize IP addresses to avoid validation errors on audit columns
Koa's `ctx.request.ip` can yield values that fail Sequelize's `isIP`
validation (X-Forwarded-For chains, IPv6 zone identifiers, "unknown"
from misconfigured proxies). This drops the IP metadata silently
instead of raising a 500 on Event/User writes.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
* test: Cover IP normalization on User setters
Reviewer feedback. Also switches the column-options `set` to TypeScript
get/set accessors — the original approach was shadowed by the class
field declaration and never actually fired, which the new tests would
have caught.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
* fix: Allow reordering subdocuments with document-only access
When a user has "Manage" (or any move-eligible) permission on a parent
document but no access to its collection, the sidebar drop cursors were
hidden because they gated on collection.isManualSort, and the move
handler bailed out because it built the payload from collection.id.
Fall back to the document's own collectionId and the move policy so the
reorder UX works for sourced document memberships.
* fix: Structure not refetched
parentDocumentId not provided
Attachments whose key ends in a trailing slash have no filename
component and cause yazl to throw, aborting the entire export. Skip
them with a warning and continue the export instead.
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
Guard against null collaboratorIds when persisting collaborative
updates; the DB column has no default and can be NULL on older rows.
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
* perf: Add missing indexes on foreign keys referencing documents
Cascade deletes on the documents table were forced into sequential scans
on file_operations, share_subscriptions, and access_requests because
their documentId columns lacked a usable single-column index.
Also fixes lint-staged to skip oxlint when every staged file matches an
.oxlintrc.json ignore pattern, since oxlint exits 1 in that case.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
* Handle oxlint no-files exit instead of mirroring ignorePatterns
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
* chore: Update JSON importer to use zip streaming, new importer flow
* chore: Drop teamId from import urlId collision check and remove unused internal-id scaffolding
urlId is globally unique on Document/Collection so the team scope was wrong.
Also removes leftover internal-id generation in JSONAPIImportTask that was
never used in task input/output.
* Restore classes used upstream
* fix: documents.list with Draft status filter throws database error
The count() query referenced $memberships.id$ in WHERE but had no
membership include, causing "missing FROM-clause entry for table
memberships". The findAll path was also silently dropping drafts because
withMembershipScope defaulted to defaultScope (which filters publishedAt
!= null). Pre-fetch the user's UserMembership document IDs and filter by
id IN (...) on both find and count, and pass includeDrafts: true when
the Draft filter is active.
* Preserve template/trial filters when including drafts
* Move template/trial filters into withDrafts scope
* Revert withDrafts scope filters, apply at call site instead
Adding template/trial filters to withDrafts broke includes in places
like Share's withCollectionPermissions where the document include must
remain optional (LEFT JOIN) — adding a where promoted it to INNER JOIN
and dropped shares without a documentId.
* fix: Don't report upstream OAuth provider errors to Sentry
TokenError and AuthorizationError from passport-oauth2 represent
input problems from the upstream provider (expired or already-redeemed
codes, access_denied, etc) rather than server bugs. Log them at warn
level and redirect with the standard auth-error notice instead of
sending to the error reporter.
* Warn-only for OAuth provider errors, keep redirect flow shared
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
* fix: Apply Postgres statement_timeout on request-handling processes
Sets `statement_timeout` to REQUEST_TIMEOUT on the Sequelize connection
pool when the process handles HTTP requests (web/api/collaboration/
websockets/admin) and does not also run worker/cron. Prevents a single
runaway query from saturating the shared Postgres instance and cascading
into timeouts across all endpoints.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
* Drop dead `api` service check
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
* Only apply statement_timeout in forked cluster workers
Skips the timeout in the master process so startup migrations driven
from `checkPendingMigrations` are not cancelled mid-execution.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
Client disconnects mid-response surface as "Premature close" errors from
Node's stream end-of-stream helper. These are expected and add noise to
Sentry, similar to the EPIPE/ECONNRESET errors already filtered.
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
* fix: Allow deleting failed and canceled imports
The delete policy only permitted imports in the Completed state, so the
overflow menu for Errored or Canceled imports rendered with no items.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
* test: Cover Errored and Canceled in imports.delete
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
* perf: Move Markdown importer to zip stream
* refactor
* refactor: Extract zip walk + tree builder into ZipHelper
Adds `ZipHelper.walk` and `ZipHelper.toFileTree` so other importers can
stream zip contents without extracting to disk. Tree construction uses
an O(1) path → node map; `./`-prefixed entries are normalized, while
dotfiles, `__MACOSX`, and `..` segments are filtered.
* PR feedback
* Weekly insights rollup
* fix: Avoid eager db instance creation in DocumentInsight model
Importing sequelize at the top level triggered createDatabaseInstance
during module load, which caused unrelated test suites that transitively
require the model to fail. Use the instance-bound this.sequelize in the
static method instead.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
* fix: Skip soft-deleted documents in weekly insights rollup
The weekly task was deleting daily rows for soft-deleted documents
without creating a weekly replacement, since rollupPeriod filters them
out. Join to documents in both the week-discovery query and the DELETE
to keep behavior consistent — historical daily rows for deleted docs are
left for the cleanup task to remove at the retention boundary.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
* refactor: Bind cutoff days param and add date predicate in weekly rollup
Moves CUTOFF_DAYS from string interpolation to a bound parameter and
adds a plain `date <` predicate so the planner can use the
(documentId, date, period) index before evaluating date_trunc.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
* fix: Unable to link secondary auth provider on custom domain
* doc
* chore: Custom -> Apex transfer token
* Refactor, address security concerns
* Ensure OAuth intent is single-use
* Secure OAuth state actor binding
* Use scrypt for OAuth actor session binding
Tom Moor